Feature #11815

Have Tails::Download::HTTPS require TLS 1.2+

Added by intrigeri about 3 years ago. Updated 9 months ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: -
Target version:
Start date: 09/20/2016
Due date:
% Done: 100%
Feature Branch: perl5lib:feature/11815-tls-1.2
Type of work: Code
Blueprint:
Starter:
Affected tool: Upgrader

Description

We currently set CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1. In Jessie, CURL_SSLVERSION_TLSv1_2 should be supported, and the websites we use this class for (i.e. our own one) support TLS 1.2. This will affect Tails Upgrader and (once #11810 is done) tails-security-check. The diff is trivial; we simply need to test that it actually works, and build a new tails-perl5lib package.


Related issues

Related to Tails - Feature #14588: Self-host our website Resolved 10/03/2018

Associated revisions

Revision 8f9075a8 (diff)
Added by intrigeri 9 months ago

Enable the feature-11815-tls-1.2 APT overlay (refs: #11815).

Revision 8e08104e
Added by intrigeri 9 months ago

Merge branch 'feature/11815-tls-1.2' into devel (Fix-committed: #11815)

History

#1 Updated by intrigeri 12 months ago

#2 Updated by intrigeri 11 months ago

  • Status changed from Confirmed to In Progress
  • Assignee set to segfault
  • Target version set to Tails_3.12
  • % Done changed from 0 to 30
  • QA Check set to Ready for QA
  • Feature Branch set to perl5lib:feature/11815-tls-1.2

Tested only by patching the relevant 2 lines in a running Tails, restarted the 2 systemd --user services that use this code (tails-security-check.service, tails-upgrade-frontend.service), made sure they worked fine.

If you're happy with the branch, please merge into perl5lib:master then I'll do a release, build a package, upload to an APT overlay suite, and make sure our test suite still passes before merging this into tails.git:devel.

#3 Updated by intrigeri 9 months ago

  • Assignee deleted (segfault)

#4 Updated by lamby 9 months ago

  • Assignee set to intrigeri
  • QA Check changed from Ready for QA to Pass

LGTM. I can't seem to push to master here though so you will have to do the merge (it fast-forwards so not a problem…)

I checked that forcing TLS 1.1 and 1.2 is a feature supported in our curl, but this was added in curl 7.34.0 and that is easily satisfied even in jessie (at least 7.38.0-4) - see this manual page entry for more info.
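The version requirement from the comment above, as an added example that is not part of the ticket or of Tails' code: a POSIX shell gate that refuses to fetch unless the local curl is at least 7.34.0, comparing fields numerically and tolerating a Debian revision suffix such as `7.38.0-4`. The function names are hypothetical; `--tlsv1.2` and `--proto` are curl's own options.

```shell
#!/bin/sh
# Added example (not Tails code): only force TLS 1.2 when curl can honour it.
# 7.34.0 is the version the comment above gives for TLS 1.1/1.2 selection.
MIN_CURL="7.34.0"

# Keep the upstream x.y.z part: "7.38.0-4" -> "7.38.0"; empty if unparseable.
upstream_version() {
    printf '%s\n' "$1" |
        sed -n 's/^\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Return 0 if version $1 >= version $2, comparing each field as a number
# (so 7.9.8 < 7.34.0). Returns 2, i.e. fails closed, on unparseable input.
version_ge() {
    a=$(upstream_version "$1"); b=$(upstream_version "$2")
    [ -n "$a" ] && [ -n "$b" ] || return 2
    old_ifs=$IFS; IFS=.
    set -- $a $b            # $1 $2 $3 = fields of a, $4 $5 $6 = fields of b
    IFS=$old_ifs
    [ "$1" -gt "$4" ] && return 0; [ "$1" -lt "$4" ] && return 1
    [ "$2" -gt "$5" ] && return 0; [ "$2" -lt "$5" ] && return 1
    [ "$3" -ge "$6" ]
}

# Version string from the first line of `curl --version`.
installed_curl_version() {
    curl --version 2>/dev/null | sed -n '1s/^curl \([^ ]*\).*/\1/p'
}

# Fetch URL $1 over HTTPS only, asking curl for TLS 1.2; refuse to run
# at all if the installed curl predates the option.
fetch_tls12() {
    v=$(installed_curl_version)
    version_ge "$v" "$MIN_CURL" || {
        echo "curl '$v' cannot force TLS 1.2 (need >= $MIN_CURL)" >&2
        return 1
    }
    curl --fail --silent --show-error --proto '=https' --tlsv1.2 "$1"
}
```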

#5 Updated by hefee 9 months ago

lamby wrote:

LGTM. I can't seem to push to master here though so you will have to do the merge (it fast-forwards so not a problem…)

I checked that forcing TLS 1.1 and 1.2 is a feature supported in our curl, but this was added in curl 7.34.0 and that is easily satisfied even in jessie (at least 7.38.0-4) - see this manual page entry for more info.

Checked by hand with @intrigeri the two scripts (tails-security-check.service, tails-upgrade-frontend.service) that are affected. We made sure that the scripts fail if the patch would add weird stuff and that Jenkins will also check the outcomes.

#6 Updated by intrigeri 9 months ago

  • % Done changed from 30 to 60
  • QA Check changed from Pass to Ready for QA

Released + uploaded 2.0.2-1 to our feature-11815-tls-1.2 overlay. Let's see what Jenkins thinks.

#7 Updated by intrigeri 9 months ago

  • Status changed from In Progress to Fix committed
  • % Done changed from 60 to 100

#8 Updated by intrigeri 9 months ago

  • Assignee deleted (intrigeri)
  • QA Check changed from Ready for QA to Pass

#9 Updated by anonym 9 months ago

  • Status changed from Fix committed to Resolved
